Traitor tracing for obfuscated credentials

ABSTRACT

A method, computer program product, and system for providing verification processes associated with a commitment-based authentication protocol are described. A request by a user for access to one or more resources is received, and a presentation policy is transmitted to the user indicating required credentials. A commitment to a revocation handle is received, including an indication of an associated Sigma protocol executed by the user. A challenge value selected from a challenge value set associated with the associated Sigma protocol is transmitted to the user. Based on the selected challenge value, a presentation token and a value parameter that is distinct from the presentation token are received from the user. Based on a determination as to whether the presentation token and value parameter are valid in accordance with the associated Sigma protocol, access for the user to the one or more resources is granted to the user or prevented.

DOMESTIC PRIORITY

This application is a continuation of U.S. Non-provisional applicationSer. No. 15/278,411, entitled “TRAITOR TRACING FOR OBFUSCATEDCREDENTIALS”, filed Sep. 28, 2016, the content of which is incorporatedherein by reference in its entirety.

BACKGROUND

This disclosure relates to cryptographic credentials and, morespecifically, to tracing rogue cryptographic credentials whilepreserving privacy properties of an underlying authentication scheme ofa computing system.

Credentials in cryptography establish the identity of a party to anelectronic, computer-based communication. Cryptographic credentialsusually take the form of machine-readable cryptographic keys and/orpasswords, which can be self-issued, or issued by a trusted third party.In many contemporary cryptographic systems, the only criterion forissuance is unambiguous association of the credential with a specific,real individual or other entity.

SUMMARY

According to at least one embodiment, a method to provide verificationprocesses associated with a commitment-based authentication protocol isimplemented by one or more computing systems and comprises receiving arequest by a user for access to one or more network-accessibleresources; transmitting a presentation policy to the user indicating oneor more credentials required for the requested access; receiving acommitment to a revocation handle, wherein receiving the commitmentincludes receiving an indication of a Sigma protocol associated withdistinct instruction sets P1, P2, and V, and wherein the receivedcommitment includes information indicative of an output of theinstruction set P1; providing to the user a challenge value selectedfrom a challenge value set associated with the indicated Sigma protocol;receiving, from the user and based at least in part on the selectedchallenge value and the indicated Sigma protocol, a presentation tokenand a value parameter that is distinct from the presentation token,wherein the value parameter is indicative of an output of instructionset P2; determining, based at least in part on verifying an output ofthe instruction set V, whether the presentation token and valueparameter are valid in accordance with the indicated Sigma protocol; andgranting access for the user to the one or more network-accessibleresources if it is determined that the presentation token and valueparameter are valid in accordance with the indicated Sigma protocol,otherwise preventing access to the one or more network-accessibleresources by the user.

According to another embodiment, a method to provide verificationprocesses associated with a commitment-based authentication protocol isimplemented by one or more computing systems and comprises receiving arequest by a user for access to one or more resources; transmitting apresentation policy to the user indicating one or more credentialsrequired for the requested access; receiving a commitment to arevocation handle, wherein receiving the commitment includes receivingan indication of an associated Sigma protocol executed by the user;providing to the user a challenge value selected from a challenge valueset associated with the associated Sigma protocol; receiving, from theuser and based at least in part on the selected challenge value and theassociated Sigma protocol, a presentation token and a value parameterthat is distinct from the presentation token; and granting access forthe user to the requested one or more resources if it is determined thatthe presentation token and value parameter are valid in accordance withthe associated Sigma protocol, otherwise preventing access to therequested one or more resources by the user.

According to another embodiment, a non-transitory computer-readablestorage medium has stored contents that, when executed, cause acomputing system to perform a method that comprises receiving a requestby a user for access to one or more resources; transmitting apresentation policy to the user indicating one or more credentialsrequired for the requested access; receiving a commitment to arevocation handle, wherein receiving the commitment includes receivingan indication of an associated Sigma protocol executed by the user;providing to the user a challenge value selected from a challenge valueset associated with the associated Sigma protocol; receiving, from theuser and based at least in part on the selected challenge value and theassociated Sigma protocol, a presentation token and a value parameterthat is distinct from the presentation token; and granting access forthe user to the requested one or more resources if it is determined thatthe presentation token and value parameter are valid in accordance withthe associated Sigma protocol, otherwise preventing access to therequested one or more resources by the user.

According to another embodiment, a computing system comprises one ormore processors and at least one memory that includes instructions that,upon execution by a processor, cause the computing system to perform amethod that includes receiving a request by a user for access to one ormore resources; transmitting a presentation policy to the userindicating one or more credentials required for the requested access;receiving a commitment to a revocation handle, wherein receiving thecommitment includes receiving an indication of an associated Sigmaprotocol executed by the user; providing to the user a challenge valueselected from a challenge value set associated with the associated Sigmaprotocol; receiving, from the user and based at least in part on theselected challenge value and the associated Sigma protocol, apresentation token and a value parameter that is distinct from thepresentation token; and granting access for the user to the requestedone or more resources if it is determined that the presentation tokenand value parameter are valid in accordance with the associated Sigmaprotocol, otherwise preventing access to the requested one or moreresources by the user.

According to another embodiment, a non-transitory computer-readablestorage medium has stored contents that, when executed, cause acomputing system to perform a method that comprises transmitting apresentation policy indicating one or more credentials required forobtaining access to one or more resources; receiving a commitment to arevocation handle, wherein the commitment includes an indication of aSigma protocol; providing a challenge value selected in accordance withthe indicated Sigma protocol; receiving, based at least in part on theselected challenge value and the indicated Sigma protocol, apresentation token and a value parameter; and granting access to therequested one or more resources only if the presentation token and valueparameter are validated in accordance with the indicated Sigma protocol.

Additional features and advantages are realized through the techniquesof the present invention. Other embodiments and aspects of the inventionare described in detail herein and are considered a part of the claimedinvention. For a better understanding of the invention with theadvantages and the features, refer to the description and to thedrawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts an exemplary scenario in which the techniques describedherein may be utilized in accordance with an embodiment.

FIG. 2 depicts a block diagram of an exemplary network environment andcomputing system in accordance with an embodiment.

FIG. 3 depicts a process flow for providing access to rights-managedresources in accordance with an embodiment of techniques describedherein.

DETAILED DESCRIPTION

Privacy-preserving Attribute-Based Credentials or Privacy-ABCs,sometimes also known as anonymous credentials or minimal disclosuretokens, allow users to authenticate to verifiers in a privacy-preservingmanner. Issuers assign attributes to users by issuing credentialscontaining the list of attributes for that user. Users can then use thiscredential to convince a verifier that his attributes satisfy certainproperties, but without disclosing more information than strictlynecessary and without being linkable between different presentations.The verifier specifies which attributes must be disclosed or whichpredicates (e.g., equality or inequality) the attributes must fulfill ina presentation policy. Users derive from their credentials apresentation token that provides cryptographic evidence of the disclosedattribute values and that the predicates are satisfied. The verifier cancheck the validity of the presentation token using the issuer's publickey.

Typically, Privacy-ABC schemes are based on signature schemes withefficient zero-knowledge proofs. They allow the issuer to create asignature on a list of attributes and allow the user to later proveknowledge of a valid signature while revealing only a subset of theattributes, or even only the mere fact that a certain predicate over theattributes holds.

In a large-scale deployment of any type of authentication, it is crucialthat one can efficiently revoke credentials that have been lost orcompromised. Due to the privacy features of Privacy-ABCs, revocation isslightly more complicated than for standard public-key infrastructures.For example, a credential may need to be revoked when a rogue credentialhas been detected. Often, it is assumed that the compromised credentialcan be extracted from any code or device that uses it. This assumptionis incorrect, however, when code obfuscation has occurred. Codeobfuscation is a tool that renders executable software code“unintelligible,” in the sense that the internal structure and data ofthe code can no longer be inspected, while preserving the functionalityof the code.

Code obfuscation poses a threat to privacy-preserving authenticationmechanisms because the adversary could embed a compromised credential(which could have been a software-only credential originally, or mayhave been extracted from a hardware device) into a piece of obfuscatedcode that performs valid presentations, but that does not leak anyuniquely identifying information, thereby generating a mostly functionalcredential that cannot be traced.

This disclosure provides a presentation protocol for cryptographiccredentials and, more specifically, for tracing rogue cryptographiccredentials while preserving privacy properties of an underlyingauthentication scheme of a computing system. One or more embodimentsdescribed herein enable one or more processor-based computing systems toidentify a revocation handle associated with a rogue credential evenwhen the source of that rogue credential is deliberately obfuscated,such as in instances of obfuscated software or an obfuscated hardwaredevice. By identifying a revocation handle, the rogue credential itselfmay also be uniquely identified. Thus, the described techniques mayenable the prevention of access to rights-managed resources insituations that might otherwise require preventing such access byadditional users not associated with the rogue credential.

FIG. 1 depicts exemplary transactions between computing systemsassociated with various parties, in which untraceable but verifiablecredentials may be utilized in accordance with certain embodiments ofone or more techniques presented herein. It is understood thatdepictions of human entities within FIG. 1 symbolize particularcomputing systems respectively associated with those entities.

An end user, associated with computing system 300, wishes to presentverifiable credentials to computing systems respectively associated withmultiple verifying entities (“verifiers”), such as in order to gainaccess to particular network-accessible or other resources managed bythose verifying entities. The end user wishes to present to eachverifier only the information required by that verifier. Verifier 1,associated with computing system 350, requires a verified credentialindicating a name for any user requesting access to the resourcesmanaged by Verifier 1. Verifier 2, associated with computing system 360,requires a verified credential indicating that a requesting user residesin one or more accepted locations (one of which is Springfield).

The end user presents, via computing system 300, information verifyinghis identity as John Doe of Springfield to a credential issuerassociated with computing system 305. In response, the credential Issuerissues to the end user (via computing systems 305 and 300) credentials315, which separately indicate a name value of “John Doe” and aresidence value of “Springfield.”

In order to access the resources managed by Verifier 1, the userpresents (via computing system 300) credential 320—which includes theverified name credential of “John Doe” but does not include the verifiedresidence credential of “Springfield”—to the computing system 350associated with Verifier 1. In a similar manner, in order to access theresources managed by Verifier 2, the user presents credential 325—whichincludes the verified residence credential of “Springfield” but not theverified name credential of “John Doe”—to the computing system 360associated with Verifier 2. Verifier 1 and Verifier 2 may each beassured that the credentials respectively presented by the user arevalid, and yet such credentials are untraceable to the credential Issuerassociated with computing system 305. Furthermore, Verifier 1 has noknowledge of the user's residence, and Verifier 2 has no knowledge ofthe user's name. Moreover, Verifier 1 and Verifier 2 are unaware thatthe user has presented the other party with any credential.

In furtherance of the interactions described above, consider acommitment scheme that allows one to commit to a chosen value orstatement while keeping it hidden from others, with the ability toreveal the committed value later. Such commitment schemes are “binding,”such that a party cannot change the value or statement after that partyhas committed to it.

As used herein, a commitment scheme CMT=(Cmt, Open) consists of acommitment instruction set that, on input of a message m∈{0, 1}*,returns a tuple (cmt, op)←Cmt(m) consisting of a commitment cmt andopening information op. To open a commitment—i.e., to show that a givencommitment cmt is a valid commitment to a given message m—one reveals mand op. One can verify the correctness of the commitment by runningOpen(cmt, m, op), which returns 1 if the opening is valid and 0otherwise. In terms of security, the commitment scheme must be hiding inthe sense that cmt does not leak any information about m, and binding inthe sense that it is hard to come up with a commitment cmt, twodifferent messages m/=m′, and two openings op, op′ such that Open(cmt,m, op)=Open(cmt, m′, op′)=1.

A commitment scheme with a Sigma protocol for the language consists ofcommitments, for which the witnesses are the messages and openinginformation:R={(cmt,(m,op)):Open(cmt,m,op)=1}.

As used herein, L⊆{0, 1}* is a language with witness relationship R suchthat x∈L⇔∃w:(x, w)∈R. A Sigma protocol associated to L with challengevalue set C includes distinct instruction sets P₁, P₂, V that make up aninteractive proof protocol as follows:

P₁ is run by the prover on input language element x and witness w. Itoutputs a value t and state information st. The prover sends t to theverifier.

The verifier chooses a random challenge value c←C and sends it to theprover.

The prover computes a response by running s←P₂(c, st) and sends it tothe verifier.

The verifier accepts if and only if V(x, t, c, s)=1.

For security, two properties are required of a sigma protocol: “zeroknowledge” and “special soundness.” As used herein, “zero knowledge”indicates that there exists a simulator Sim such that for all x∈L, theoutput of Sim(x) is indistinguishable from a fresh transcript (t, c, s)generated via an honest interaction of P₁, P₂, V. Also as used herein,“special soundness” indicates that there exists an extractor E that,given two transcripts (t, c, s) and (t, c′, s′) such that V(x, t, c,s)=V(x, t, c′, s′)=1 and c/=c′, computes a witness w←E(x, t, c, s, c′,s′) such that (x, w)∈R.

One example of a commitment scheme in accordance with the techniquesdescribed herein is a Pedersen commitment scheme. Here, G is a cyclicgroup of prime order p where the discrete logarithm problem is hard; g,h←G* are two generators of G. To commit to a message m∈Z_(p), op←Z_(p)is chosen and cmt←g^(m) h^(op) computed. To open a commitment, theverifier checks that cmt=g^(m) h^(op). The associated Sigma protocol isas follows:

P₁(cmt, (m, op)): Choose r₁, r₂←Z_(p), return t←g^(r1) h^(r2) and st=(m,op, r₁, r₂).

The verifier chooses c←Z₂R.

P₂(c, (m, op, r₂, r₂)): Return s₁←cm+r₁ mod p and s₂←cop+r₂ mod p.

V(cmt, t, c, (s₁, s₂)): If g^(s1) h^(s2)=t cmt^(c) then return 1, elsereturn 0.

To be able to revoke individual credentials in a Privacy-ABC system, thecredentials must have some built-in unique identifier by which they canbe revoked, but that for privacy reasons of course cannot be revealedduring a presentation. Such identifier is referenced herein asrevocation handle rh.

When a rogue piece of software or hardware device R is discovered thatcan perform valid presentations, the revocation handle rh must beextracted in order to determine which credential to revoke. In certainembodiments, at least because the code may have been obfuscated to hideall internal structure of the code, it may be desirable to do so withonly “black-box access” to the rogue software, such that only inputvalues and output results are accessible. Likewise, a rogue hardwaredevice may be constructed in a tamperproof manner, making it impossibleto reverse-engineer. In addition, due to privacy properties ofPrivacy-ABCs, presentation tokens do not leak any uniquely identifyinginformation about the underlying credential.

A usual Privacy-ABC presentation is a three-move interaction, where theuser first sends an access request to the verifier, the verifier sendsback a policy describing which credentials are required and whatinformation about them must be revealed, upon which the user creates acorresponding presentation token that it sends back to the verifier. Tobe able to trace rogue credentials, in at least one embodiment suchinteraction is extended with an execution of a Sigma protocol over afresh commitment on the revocation handle. In addition, the underlyingPrivacy-ABC scheme must somehow be able to prove that the revocationhandle in the commitment is the same as the revocation handle of thecredential. For the Privacy-ABC schemes based on zero-knowledge proofsand the Pedersen commitment scheme described above, this can be done byencoding the revocation handle as an attribute in the credential andblending a proof of equal discrete logarithms into the mainzero-knowledge proof. For Privacy-ABC schemes based on obfuscation, thismay be accomplished by the obfuscated circuit checking that a commitmentand opening information given as input indeed contain the revocationhandle, such that the circuit signs the commitment.

In at least one embodiment, a modified presentation protocol inaccordance with the techniques described herein is as follows:

1. The user requests access to a resource at the verifier.

2. The verifier sends a presentation policy to the user.

3. The user creates a commitment to the revocation handle rh that itwill use for the presentation (cmt, op)←Cmt(rh), and performs the firstround of the associated Sigma protocol (t, st)←P₁(cmt, (rh, op)). Theuser sends cmt, t to the verifier.

4. The verifier chooses c←C.

5. The user computes the second round of the Sigma protocol s←P₂(c, st)and invokes the presentation of the underlying Privacy-ABC scheme togenerate a presentation token pt with the additional requirement toprove that the revocation handle in cmt is equal to the revocationhandle in the credential used for the presentation. The user sends s, ptto the verifier.

6. The verifier checks that the presentation token is valid and checksthat V(cmt, t, c, s)=1. If both tests succeed he accepts, otherwise herejects.

If the user knows upfront which credential will be required for thepresentation, then steps 1 and 3 can be merged, as well as steps 2 and4. Note that by the zero-knowledge property of the Sigma protocol, theverifier cannot learn any information about the user's credential thanwhat is revealed in the presentation token pt.

To be useful in this scenario, the rogue software R implements steps 3and 5. The extractor of the Sigma protocol E is utilized to extract therevocation handle rh from R. In particular, have R perform step 3 toobtain cmt, t; provide a random c←C; and have R perform step 5 to obtains, pt from R. Subsequently, R is run again using the same random tape asduring the first run. Step 3 outputs the same cmt, t as during the firstrun. A new c′←C is provided, and R then outputs s′, pt′.

If both runs are successful in making the verifier accept, V(cmt, t, c,s)=V(cmt, t, c′, s′)=1. If in addition c/=c′, the revocation handle maybe extracted by computing (rh, op)←E(cmt, t, c, s, c′, s′). If the roguesoftware R succeeds in making the verifier accept with probability suc,then the probability ext that extraction works is bounded byext≥(suc−/|C|)².

The first term suc on the right hand side is directly related to theusefulness of R as a rogue presentation device. The second term isdetermined by the size of the challenge value set C, which in many Sigmaprotocols (including the one for Pedersen commitments above) may beselected in any appropriate manner.

In at least certain embodiments, one can externally determine theentropy source of R, or at least force it to run twice on the samerandom coins. Typically with respect to rogue software, it is possibleto re-run the same software beginning from a previous state. It ispotentially more difficult for a tamperproof device, however, if it hasits own entropy source on board. Techniques described herein maytherefore be suitable for tracing rogue software.

FIG. 2 illustrates a block diagram of a networked computing system 100for use in practicing the teachings herein, such as for use as one ormore of computing systems 300, 305, 350, and 360 in the illustratedembodiment of FIG. 1. The methods described herein can be performed orotherwise implemented via hardware, software (e.g., firmware), orcombination thereof. In an exemplary embodiment, the methods describedherein are implemented in hardware, and may be part of themicroprocessor of a special or general-purpose digital computer, such asa personal computer, workstation, minicomputer, or mainframe computer.The computing system 100 therefore includes computer 105.

In the illustrated embodiment of FIG. 2, the computer 105 includes aprocessor 110, a challenge value generation module 112, a verificationmanager module 114, a memory 115 coupled to a memory controller 120,internal storage 125, and one or more input and/or output (I/O) devices150 that are communicatively coupled to the computer 105 via a localinput/output controller 135, which in the illustrated embodiment isfurther communicatively coupled to external storage 130. Theinput/output controller 135 may include one or more buses or other wiredor wireless connections, as is known in the art. The input/outputcontroller 135 may further include additional elements, which areomitted for simplicity, such as controllers, buffers (caches), drivers,repeaters, and receivers, to facilitate communications. Further, thelocal interface may include address, control, and/or data connections tofacilitate appropriate communications among the aforementionedcomponents.

Also in the illustrated embodiment, the processor 110 is a hardwaredevice for executing hardware instructions or software, particularlythat stored in memory 115. The processor 110 can be any custom made orcommercially available processor, a central processing unit (CPU), anauxiliary processor among several processors associated with thegeneral-purpose computer 105, a semiconductor based microprocessor (inthe form of a microchip or chip set), a macroprocessor, or generally anydevice for executing instructions.

The memory 115 can include any one or combination of volatile memoryelements (e.g., random access memory (RAM, such as DRAM, SRAM, SDRAM,etc.)) and nonvolatile memory elements (e.g., ROM, erasable programmableread only memory (EPROM), electronically erasable programmable read onlymemory (EEPROM), programmable read only memory (PROM), tape, compactdisc read only memory (CD-ROM), disk, diskette, cartridge, cassette orthe like, etc.). Moreover, the memory 115 may incorporate electronic,magnetic, optical, and/or other types of storage media. Note that thememory 115 can have a distributed architecture, where various componentsare situated remote from one another, but can be accessed by theprocessor 110.

The instructions in the memory 115 may include one or more separateprograms, each of which comprises an ordered listing of executableinstructions for implementing logical functions. In the example of FIG.2, the instructions in the memory 115 include a suitable operatingsystem (OS) 145. The operating system 145 typically controls theexecution of other computer programs and may, among other capabilities,provide scheduling, input-output control, file and data management,memory management, and communication control and related services.

In an exemplary embodiment, I/O devices 150 may include, as non-limitingexamples, a keyboard, mouse, printer, scanner, microphone, a networkinterface card (NIC) or modulator/demodulator (for accessing otherfiles, devices, systems, or a network), a radio frequency (RF) or othertransceiver, a telephonic interface, a bridge, a router, and otherperipherals communicatively coupled to the computer 105 via input/outputcontroller 135. In the depicted embodiment, the computing system 100further includes a display controller 160 coupled to a display 165, anda network interface 170 communicatively coupled to a network 175. Thenetwork 175 may be an IP-based network for communication betweencomputer 105 and any external server, client and the like via abroadband or other network connection. The network 175 transmits andreceives data between the computer 105 and external systems. In anexemplary embodiment, the network 175 may be a managed IP networkadministered by a service provider. The network 175 may be implementedin a wireless fashion, e.g., using wireless protocols and technologies,such as WiFi, WiMax, etc. The network 175 may also be a packet-switchednetwork such as a local area network, wide area network, metropolitanarea network, Internet network, or other similar type of networkenvironment. The network 175 may be a fixed wireless network, a wirelesslocal area network (LAN), a wireless wide area network (WAN) a personalarea network (PAN), a virtual private network (VPN), intranet or othersuitable network system and includes equipment for receiving andtransmitting signals.

In at least some embodiments, the memory 115 may further include a basicinput output system (BIOS) (omitted for simplicity). The BIOS is a setof routines that initialize and test hardware at startup, initiateexecution of the OS 145, and support the transfer of data among thehardware devices. The BIOS is typically stored in ROM so that the BIOSmay be executed when the computer 105 is activated. When the computer105 is in operation, the processor 110 is configured to executeinstructions stored within the memory 115, to communicate data to andfrom the memory 115, and to generally control operations of the computer105 pursuant to the instructions.

FIG. 3 depicts a process flow for a routine providing access torights-managed resources in accordance with an embodiment of techniquesdescribed herein. The depicted routine might be executed, for example,by the computing system 105 of FIG. 2, and in particular by combinedoperations of challenge value generator 112 and verification manager 114as executed by processor 110 in conjunction with the other components ofthe illustrated computing system.

The routine begins at block 205, in which a processor-based devicereceives a request for access to one or more network-accessibleresources. In block 210, the processor-based device transmits apresentation policy indicating one or more credentials required foraccess. In block 215, the processor-based device receives informationindicative of a commitment to a revocation handle, in accordance with anassociated Sigma protocol.

In block 220, the processor-based device selects a challenge value froma challenge value set associated with the associated Sigma protocol, andprovides that selected challenge value to the user. In block 225, theprocessor-based device receives from the user a presentation token and adistinct value parameter in accordance with the associated Sigmaprotocol.

In block 230, the processor-based device determines whether thepresentation token and distinctive value parameter are valid accordingto the associated Sigma protocol. If so, in block 235 theprocessor-based device grants access to the requested resources.Otherwise, in block 240, the processor-based device takes one or moreactions to prevent access to those requested resources.

The descriptions of the various embodiments of the present inventionhave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

It will be appreciated that in some embodiments the functionalityprovided by the routine or routines discussed above may be provided inalternative ways, such as being split among more routines orconsolidated into fewer routines. Similarly, in some embodimentsillustrated routines may provide more or less functionality than isdescribed, such as when other illustrated routines instead lack orinclude such functionality respectively, or when the amount offunctionality that is provided is altered. In addition, while variousoperations may be illustrated as being performed in a particular manner(e.g., in serial or in parallel) and/or in a particular order, it willbe appreciated that in other embodiments the operations may be performedin other orders and in other manners. It will also be appreciated thatparticular data structures discussed above may be structured indifferent manners, such as by having a single data structure split intomultiple data structures or by having multiple data structuresconsolidated into a single data structure. Similarly, in someembodiments, illustrated data structures may store more or lessinformation than is described, such as when other illustrated datastructures instead lack or include such information respectively, orwhen the amount or types of information that is stored is altered.

The present invention may be a system, a method, and/or a computerprogram product. The computer program product may include a computerreadable storage medium (or media) having computer readable programinstructions thereon for causing a processor to carry out aspects of thepresent disclosure.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present disclosure may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Smalltalk, C++ or the like, andconventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computeror entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including a local area network (LAN) or a wide areanetwork (WAN), or the connection may be made to an external computer(for example, through the Internet using an Internet Service Provider).In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present disclosure

Aspects of the present disclosure are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of thepresent disclosure. It will be understood that each block of theflowchart illustrations and/or block diagrams, and combinations ofblocks in the flowchart illustrations and/or block diagrams, can beimplemented by computer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present disclosure. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

What is claimed is:
 1. A computer-implemented method for tracing roguecryptographic credentials, the computer-implemented method comprising:receiving, by a verifier computing system, a request from a user foraccess to a resource, wherein the user is a first user; transmitting, bythe verifier computing system, a presentation policy to the userindicating one or more credentials required to obtain access to theresource; receiving, by the verifier computing system, a commitment to arevocation handle and a first output of a first round of an interactiveproof protocol executed by the user, wherein the revocation handle is afirst revocation handle; providing, by the verifier computing system tothe user, a challenge value selected from a challenge value setassociated with the interactive proof protocol; receiving, by theverifier computing system from the user, and based at least in part onthe challenge value and the interactive proof protocol, a presentationtoken and a second output of a second round of the interactive proofprotocol executed by the user; determining, by the verifier computingsystem, that the presentation token and the second output are valid inaccordance with a third round of the interactive proof protocol executedby the verifier computing system; granting, by the verifier computingsystem, access to the user to the resource; receiving, by the verifiercomputing system, information indicating existence of a rogue credentialthat is intended to obtain access to the resource, wherein the roguecredential is not associated with uniquely identifying informationassociated with a user of the rogue credential; identifying, by theverifier computing system, a second revocation handle associated withthe rogue credential based at least in part on a second challenge valueselected from the challenge value set; and preventing, by the verifiercomputing system, future access to the resource by the user associatedwith the second revocation handle.
 2. The computer-implemented method ofclaim 1, wherein the request for access and the commitment to therevocation handle are provided in a single first electroniccommunication received from the user, and wherein the presentationpolicy and selected challenge value are provided to the user in a singlesecond electronic communication.
 3. The computer-implemented method ofclaim 1, wherein the rogue credential is provided by at least one ofobfuscated software or a hardware device.
 4. The computer-implementedmethod of claim 1, wherein the interactive proof protocol is a Sigmaprotocol associated with distinct instruction sets P1, P2, and V, thefirst output is an output of the instruction set P1, the second outputis an output of the instruction set P2, and determining that thepresentation token and value parameter are valid comprises verifying anoutput of the instruction set V.
 5. The computer-implemented method ofclaim 1, further comprising randomly selecting, by the verifiercomputing system, the challenge value from a value space associated withthe interactive proof protocol.
 6. A verifier computing system fortracing rouge cryptographic credentials, the verifier computing systemcomprising: at least one memory storing computer-executableinstructions; and at least one processor configured to access the atleast one memory and execute the computer-executable instructions to:receive a request from a user for access to a resource, wherein the useris a first user; transmit a presentation policy to the user indicatingone or more credentials required to obtain access to the resource;receive a commitment to a revocation handle and a first output of afirst round of an interactive proof protocol executed by the user,wherein the revocation handle is a first revocation handle; provide, tothe user, a challenge value selected from a challenge value setassociated with the interactive proof protocol; receive, from the userand based at least in part on the challenge value and the interactiveproof protocol, a presentation token and a second output of a secondround of the interactive proof protocol executed by the user; determinethat the presentation token and the second output are valid inaccordance with a third round of the interactive proof protocol executedby the verifier computing system; grant access to the user to theresource; receive information indicating existence of a rogue credentialthat is intended to obtain access to the resource, wherein the roguecredential is not associated with uniquely identifying informationassociated with a user of the rogue credential; identify a secondrevocation handle associated with the rogue credential based at least inpart on a second challenge value selected from the challenge value set;and prevent future access to the resource by the user associated withthe second revocation handle.
 7. The verifier computing system of claim6, wherein the request for access and the commitment to the revocationhandle are provided in a single first electronic communication receivedfrom the user, and wherein the presentation policy and selectedchallenge value are provided to the user in a single second electroniccommunication.
 8. The verifier computing system of claim 6, wherein therogue credential is provided by at least one of obfuscated software or ahardware device.
 9. The verifier computing system of claim 6, whereinthe interactive proof protocol is a Sigma protocol associated withdistinct instruction sets P1, P2, and V, the first output is an outputof the instruction set P1, the second output is an output of theinstruction set P2, and determining that the presentation token andvalue parameter are valid comprises verifying an output of theinstruction set V.
 10. The verifier computing system of claim 6, whereinthe at least one processor is further configured to execute thecomputer-executable instructions to randomly select the challenge valuefrom a value space associated with the interactive proof protocol.
 11. Acomputer program product for tracing rogue cryptographic credentials,the computer program product comprising a non-transitory storage mediumreadable by a processing circuit, the non-transitory storage mediumstoring instructions executable by the processing circuit to cause amethod comprising: receiving, by a verifier computing system, a requestfrom a user for access to a resource, wherein the user is a first user;transmitting a presentation policy to the user indicating one or morecredentials required to obtain access to the resource; receiving acommitment to a revocation handle and a first output of a first round ofan interactive proof protocol executed by the user, wherein therevocation handle is a first revocation handle; providing, to the user,a challenge value selected from a challenge value set associated withthe interactive proof protocol; receiving, from the user, and based atleast in part on the challenge value and the interactive proof protocol,a presentation token and a second output of a second round of theinteractive proof protocol executed by the user; determining that thepresentation token and the second output are valid in accordance with athird round of the interactive proof protocol executed by the verifiercomputing system; granting access to the user to the resource; receivinginformation indicating existence of a rogue credential that is intendedto obtain access to the resource, wherein the rogue credential is notassociated with uniquely identifying information associated with a userof the rogue credential; identifying a second revocation handleassociated with the rogue credential based at least in part on a secondchallenge value selected from the challenge value set; and preventingfuture access to the resource by the user associated with the secondrevocation handle.
 12. The computer program product of claim 11, whereinthe request for access and the commitment to the revocation handle areprovided in a single first electronic communication received from theuser, and wherein the presentation policy and selected challenge valueare provided to the user in a single second electronic communication.13. The computer program product of claim 11, wherein the roguecredential is provided by at least one of obfuscated software or ahardware device.
 14. The computer program product of claim 11, whereinthe interactive proof protocol is a Sigma protocol associated withdistinct instruction sets P1, P2, and V, the first output is an outputof the instruction set P1, the second output is an output of theinstruction set P2, and determining that the presentation token andvalue parameter are valid comprises verifying an output of theinstruction set V.